Diffstat (limited to 'src/krb524/README')
-rw-r--r-- | src/krb524/README | 120 |
1 files changed, 120 insertions, 0 deletions
diff --git a/src/krb524/README b/src/krb524/README new file mode 100644 index 0000000000..6f829313d8 --- /dev/null +++ b/src/krb524/README 
@@ -0,0 +1,120 @@ +Copyright 1993 by Geer Zolot Associates. All Rights Reserved. + +Export of this software from the United States of America is assumed +to require a specific license from the United States Government. It +is the responsibility of any person or organization contemplating +export to obtain such a license before exporting. + +WITHIN THAT CONSTRAINT, permission to use, copy, modify, and +distribute this software and its documentation for any purpose and +without fee is hereby granted, provided that the above copyright +notice appear in all copies and that both that copyright notice and +this permission notice appear in supporting documentation, and that +the name of Geer Zolot Associates not be used in advertising or +publicity pertaining to distribution of the software without specific, +written prior permission. Geer Zolot Associates makes no +representations about the suitability of this software for any +purpose. It is provided "as is" without express or implied warranty. + +$Id$ + +Kerberos V5 to Kerberos V4 Credentials Converting Service, ALPHA RELEASE +======================================================================== + +krb524 is a service that converts Kerberos V5 credentials into +Kerberos V4 credentials suitable for use with applications that for +whatever reason do not use V5 directly. The service consists of a +server that has access to the secret key of the Kerberos service for +which credentials will be converted, and a library for use by client +programs that wish to use the server. + +The protocol is simple. Suppose that a client C wishes to obtain V4 +credentials for a V5 service S by using the krb524 server. The +notation {C,S}_n represents a Vn service ticket for S for use by C. + +(1) C obtains V5 credentials, including a ticket {C,S}_5, for S by the +normal V5 means. + +(2) C transmits {C,S}_5 to KRB524. + +(3) KRB524 converts {C,S}_5 into {C,S}_4. + +(4) KRB524 transmits {C,S}_4 to C. 
+ +(5) C creates a V4 credentials strucuture from the plaintext +information in the V5 credential and {C,S}_4. + +Steps (2) through (4) are encapsulated in a single function call in +the krb524 library. + +Obviously, not all V5 credentials can be completely converted to V4 +credentials, since the former is a superset of the latter. The +precise semantics of the conversion function are still undecided. +UTSL. + +Programs contained in this release +====================================================================== + +krb524d [-m[aster]] [-k[eytab]] + +The krb524 server. It accepts UDP requests on the krb524 service +port, specified in /etc/services, or on port 4444 by default. (A +request for an official port assignment is underway.) The -m argument +causes krb524d to access the KDC master database directly; the -k +argument causes krb524d to use the default keytab (and therefore only +be able to convert tickets for services in the keytab). Only one of +-m or -k can be specified. + +test -remote server client service + +A test program that obtains a V5 credential for {client,service}, +converts it to a V4 credential, and prints out the entire contents of +both versions. It prompts for service's secret key, which it needs to +decrypt both tickets in order to print them out. Enter it as an eight +digit ASCII hex number. + +k524init [-n] [-p principal] + +Convert a V5 credential into a V4 credential and store it in a V4 +ticket file. The client is 'principal', or krbtgt at the V5 ccache's +default principal's realm if not specified. The -n argument causes +the new ticket to be added to the existing ticket file; otherwise, the +ticket file is initialized. 
+ +Using libkrb524.a +====================================================================== + +To use libkrb524.a, #include <krb524.h>, link against libkrb524.a, +call krb524_init_ets() at the beginning of your program, and call one +of the following two functions: + +int krb524_convert_creds_addr(krb5_creds *v5creds, CREDENTIALS *v4creds, + struct sockaddr *saddr) + +int krb524_convert_creds_kdc(krb5_creds *v5creds, CREDENTIALS *v4creds) + +Both convert the V5 credential in v5creds into a V4 credential in +v4creds. One assumes krb524d is running on the KDC, the other uses an +explicit host. You only need to specify the address for saddr; the +port is filled in automatically. + +Unresolved issues / Bugs +====================================================================== + +o krb524d requires access to the secret key of any service to be +converted. Should krb524d run on the KDC or on individual server +machines? The latter is more paranoid, since it prevents bugs in +krb524d from provided unauthorized access to the master database. +However, it also requires the client to provide the address of the +server to be used. The client will usually have this information +(since presumably it will be sending the converted V4 credentials to +the same server) but it may not be in a convenient form. It seems +"cleaner" to have krb524d run on the KDC. + +o Even if krb524d uses keytabs on server machines, it needs to be more +flexible. You only want to run one krb524d per host, so it has to be +able to scan multiple keytabs. This might get logistically messy. + +o This code is of alpha quality. Bugs, omissions, memory leaks, and +perhaps security holes still remain. Do not use it (yet) in a +production environment. |
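Review bot: The protocol description (steps (1) to (5)) and the "Unresolved issues" list leave the security-relevant behaviour undocumented: the exchange runs over UDP with no authentication of the request in step (2) or of the reply in step (4), and in step (5) the client assembles the V4 credential from the V5 plaintext plus a {C,S}_4 it cannot decrypt, so the README should state what, if anything, the client verifies about the returned ticket, and which V5 fields the conversion drops or truncates (addresses, flags, lifetimes), instead of deferring to "UTSL"; the same section already concedes "perhaps security holes still remain", which is more reason to write the semantics down before the alpha goes out. Three smaller points in the same hunk: the usage line "krb524d [-m[aster]] [-k[eytab]]" shows both flags as optional while the text says only one may be given, so document what krb524d does when neither is supplied; the "test" program's instruction to enter the service key "as an eight digit ASCII hex number" is ambiguous between eight hex digits and eight bytes (sixteen hex digits), so say which is meant; and two typos, "V4 credentials strucuture" should read "structure" and "prevents bugs in krb524d from provided unauthorized access" should read "from providing unauthorized access".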